Here's a set of patches that implement a very basic set of COW credentials. It compiles, links and runs for x86_64 with EXT3, (V)FAT, NFS, AFS, SELinux and keyrings all enabled. I've included a patch that should make most of the other archs and filesystems work, but I haven't yet merged it into the primary patches.

The cred struct contains the credentials that the kernel needs to act upon something or to create something. Credentials that govern how a task may be acted upon remain in the task struct.

In essence, the introduction of the cred struct separates a task's subjective context (the authority with which it acts) from its objective context (the authorisation required by others that want to act upon it), and permits overriding of the subjective context by a kernel service so that the service can act on the task's behalf to do something the task couldn't do on its own authority.

Because keyrings and effective capabilities can be installed or changed in one process by another process, they are shadowed by the cred structure rather than residing there. Additionally, the session and process keyrings are shared between all the threads of a process. The shadowing is performed by update_current_cred() which is invoked on entry to any system call that might need it.

A thread's cred struct may be read by that thread without any RCU precautions as only that thread may replace its own cred struct. To change a thread's credentials, dup_cred() should be called to create a new copy, the copy should be changed, and then set_current_cred() should be called to make it live. Once live, it may not be changed as it may then be shared with file descriptors, RPC calls and other threads. RCU will be used to dispose of the old structure.

(2) Introduce a security pointer into the cred struct and add LSM hooks to duplicate the information pointed to thereby and to free it.

Make SELinux implement the hooks, splitting out some of the task security data to be associated with struct cred instead.

(3) Make the security functions that permit task SID retrieval return both the objective and subjective SIDs as required.

(4) Migrate the effective capabilities mask into the cred struct.

(5) Fix up all the other archs and filesystems that I can manage to compile. This should be merged into the preceding patches at some point.

(6) Provide a pair of LSM hooks so that a kernel service can (a) get a credential record representing the authority with which it is permitted to act, and (b) alter the file creation context in a credential record.

In addition, as this works with cachefiles, I've included all the FS-Cache, CacheFiles, NFS and AFS patches.

To substitute a temporary set of credentials, the cred struct attached to the task should be altered, like so:

	/* rotate in the new creds, saving the old */
	cred = __set_current_cred(get_cred(my_special_cred));

	do_privileged_stuff();

	/* restore the old creds */
	set_current_cred(cred);

One thing I'm not certain about is how this should interact with /proc, which can display some of the stuff in the cred struct. I think it may be necessary to have a real cred pointer and an effective cred pointer, with the contents of /proc coming from the real, but the effective governing what actually goes on.

Furthermore, I was thinking that it was a good idea to move the setting of i_uid and i_gid to current->cred->i_[ug]id into new_inode(), but now I'm not so sure, since the kernel special filesystems may assume that the i_uid and i_gid default to 0. Any thoughts on this?

The NFS FS-Cache sharing patch still needs fixing up to correctly do the sharing thing when local caching is enabled.
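The following is an added user-space model of the COW credential rules described in this mail (copy-then-swap via dup_cred()/set_current_cred(), and the service override via __set_current_cred(get_cred(...))). It is not the kernel patches themselves: the function names mirror the mail's API, but the struct fields, the refcounting, the "open file pins the old cred" scenario and run_scenario() are constructed here to show why a live cred must never be modified in place.

```c
/* Added example: a user-space model of the COW credential pattern.
 * Names mirror the mail (get_cred, dup_cred, __set_current_cred,
 * set_current_cred); fields and the scenario are constructed, not kernel code.
 * Explicit refcounting stands in for the kernel's RCU-deferred free. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cred {
	int usage;            /* reference count */
	unsigned int uid;     /* who the task is */
	unsigned int fsuid;   /* identity used for filesystem access */
};

/* Models current->cred: only the owning thread ever replaces it. */
static struct cred *current_cred;

static struct cred *get_cred(struct cred *c)
{
	c->usage++;
	return c;
}

static void put_cred(struct cred *c)
{
	if (--c->usage == 0)
		free(c);
}

/* A live cred is never edited: copy it and change the copy instead. */
static struct cred *dup_cred(const struct cred *old)
{
	struct cred *n = malloc(sizeof(*n));
	if (!n)
		return NULL;
	memcpy(n, old, sizeof(*n));
	n->usage = 1;
	return n;
}

/* Install newc and hand the old cred back; the caller now owns that ref. */
static struct cred *__set_current_cred(struct cred *newc)
{
	struct cred *old = current_cred;
	current_cred = newc;
	return old;
}

/* Install newc and drop our reference on the old cred. */
static void set_current_cred(struct cred *newc)
{
	struct cred *old = __set_current_cred(newc);
	if (old)
		put_cred(old);
}

/* The documented way for a thread to change its own credentials. */
static int change_fsuid(unsigned int fsuid)
{
	struct cred *n = dup_cred(current_cred);
	if (!n)
		return -1;
	n->fsuid = fsuid;
	set_current_cred(n);
	return 0;
}

/* A kernel service acting with its own cred: the override pattern above. */
static unsigned int act_as(struct cred *special, unsigned int (*work)(void))
{
	struct cred *saved = __set_current_cred(get_cred(special));
	unsigned int r = work();
	set_current_cred(saved);   /* restore; puts the ref taken on special */
	return r;
}

static unsigned int observed_fsuid(void)
{
	return current_cred->fsuid;
}

static struct cred *new_cred(unsigned int uid, unsigned int fsuid)
{
	struct cred *c = calloc(1, sizeof(*c));
	if (c) {
		c->usage = 1;
		c->uid = uid;
		c->fsuid = fsuid;
	}
	return c;
}

/* Constructed scenario: a task with fsuid 1000 opens a file (which pins the
 * cred), changes its fsuid to 500, then a service acts as fsuid 0 and
 * restores. Fills the outputs and returns 0 on success. */
int run_scenario(unsigned int *file_fsuid, unsigned int *task_fsuid,
		 unsigned int *inside_override, unsigned int *after_override,
		 int *special_usage)
{
	struct cred *task = new_cred(1000, 1000);
	struct cred *special = new_cred(0, 0);   /* held by the "service" */
	struct cred *file;

	if (!task || !special)
		return -1;
	set_current_cred(task);
	file = get_cred(current_cred);          /* the open file pins it */
	if (change_fsuid(500))
		return -1;                      /* new cred live; file keeps old */
	*file_fsuid = file->fsuid;              /* still 1000 */
	*task_fsuid = current_cred->fsuid;      /* now 500 */
	*inside_override = act_as(special, observed_fsuid);  /* 0 */
	*after_override = current_cred->fsuid;               /* back to 500 */
	*special_usage = special->usage;        /* 1: override ref balanced */

	put_cred(file);
	put_cred(special);
	set_current_cred(NULL);
	return 0;
}

int main(void)
{
	unsigned int f, t, in, af;
	int su;

	if (run_scenario(&f, &t, &in, &af, &su))
		return 1;
	printf("file=%u task=%u inside=%u after=%u special_usage=%d\n",
	       f, t, in, af, su);
	return 0;
}
```

The point the scenario makes is the one in the mail: because the file descriptor holds a reference to the cred that was live at open time, the task's later fsuid change must produce a fresh struct rather than edit the shared one, and the service override must take and release its own reference so the special cred's count ends where it started.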